Native Implementation of WASIp1 in Wasmtime Affected by Resource Leak
CVE-2026-54786
What is CVE-2026-54786?
The Wasmtime runtime for WebAssembly is subject to a resource leak caused by a defect in its native implementation of WASIp1. The vulnerability lies in the fd_renumber function: the file descriptor replaced by the renumbering is not closed on the host side, so repeated calls exhaust host resources. From the guest's point of view the function behaves correctly, because the guest-visible descriptor table is updated, but the host's underlying table of descriptors is not, and the host resource behind the replaced descriptor stays open. A guest that calls fd_renumber repeatedly can therefore deplete host resources, including file descriptors, unless the leak is mitigated. The vulnerability affects versions of Wasmtime that expose file descriptor access to core wasm modules; updating to the patched versions restores proper host-side resource management.
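To make the failure mode concrete, here is an added Rust model of the leak (constructed for this page, not Wasmtime's code): a guest-visible fd table in front of a host resource table, with fd_renumber implemented in the leaky shape and in the fixed shape. The type Host, the flag fixed and the helper live_after are assumptions of this model; WASIp1 fd_renumber semantics (to takes over from's resource, from is closed, both must be open) are as specified.

```rust
use std::collections::HashMap;

// Constructed model of a WASIp1 host: a guest-visible fd table in front of a
// host resource table. `live` counts host resources still open, which is the
// quantity that leaks on the real host. Not Wasmtime's code.
#[derive(Default)]
pub struct Host {
    next_id: u32,
    pub live: usize,
    guest_fds: HashMap<u32, u32>,  // guest fd -> host resource id
    host_open: HashMap<u32, bool>, // host resource id -> still open?
}

impl Host {
    pub fn open(&mut self, fd: u32) {
        let id = self.next_id;
        self.next_id += 1;
        self.host_open.insert(id, true);
        self.live += 1;
        self.guest_fds.insert(fd, id);
    }

    fn close_host(&mut self, id: u32) {
        if self.host_open.insert(id, false) == Some(true) {
            self.live -= 1;
        }
    }

    // fd_renumber(from, to): `to` now refers to `from`'s resource and `from`
    // is closed; both must be open. `fixed` selects the patched behaviour.
    pub fn fd_renumber(&mut self, from: u32, to: u32, fixed: bool) -> Result<(), &'static str> {
        let src = *self.guest_fds.get(&from).ok_or("ebadf")?;
        let old = *self.guest_fds.get(&to).ok_or("ebadf")?;
        if from == to { return Ok(()); }
        if fixed {
            self.close_host(old); // the fix: release the host resource behind `to`
        }
        self.guest_fds.remove(&from); // the guest sees a correct table either way
        self.guest_fds.insert(to, src);
        Ok(())
    }
}

/// Runs `n` open-then-renumber cycles onto guest fd 3 and returns how many
/// host resources are still open afterwards (constructed workload).
pub fn live_after(n: u32, fixed: bool) -> usize {
    let mut h = Host::default();
    h.open(3);
    for i in 0..n {
        h.open(100 + i);
        h.fd_renumber(100 + i, 3, fixed).unwrap();
    }
    h.live
}
```

With the leaky shape the number of live host resources grows by one per cycle while the guest table always shows the same single descriptor; on a real Linux host the same drift is visible by counting entries under /proc/self/fd of the embedding process across repeated calls.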
Affected Version(s)
wasmtime < 24.0.10 (patched in 24.0.10)
wasmtime >= 25.0.0, < 36.0.11 (patched in 36.0.11)
wasmtime >= 37.0.0, < 44.0.3 (patched in 44.0.3)
